From 6e37635aace3c83024a745d6ea824395621e4614 Mon Sep 17 00:00:00 2001
From: Adrian G L
Date: Fri, 12 Jun 2026 13:25:23 +0200
Subject: [PATCH 1/3] ildkule/loki: firewall all endpoints except push API
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Øystein Kristoffer Tveit
---
 hosts/ildkule/services/monitoring/loki.nix | 23 +++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/hosts/ildkule/services/monitoring/loki.nix b/hosts/ildkule/services/monitoring/loki.nix
index 4eba3e6..67c5831 100644
--- a/hosts/ildkule/services/monitoring/loki.nix
+++ b/hosts/ildkule/services/monitoring/loki.nix
@@ -3,14 +3,15 @@
 let
 cfg = config.services.loki;
 stateDir = "/data/monitoring/loki";
+ # internalPort = 83100;
 in {
 services.loki = {
 enable = true;
 configuration = {
 auth_enabled = false;
 server = {
- http_listen_port = 3100;
- http_listen_address = "0.0.0.0";
+ http_listen_port = 31832;
+ http_listen_address = "127.0.0.1";
 grpc_listen_port = 9096;
 };
@@ -81,5 +82,21 @@ in {
 };
 };
- networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
+ services.nginx.virtualHosts."loki-internal" = {
+ listen = [{
+ addr = "0.0.0.0";
+ port = 3100;
+ ssl = false;
+ }];
+ locations = {
+ "/loki/api/v1/push" = {
+ proxyPass = "http://${cfg.configuration.server.http_listen_address}:${toString cfg.configuration.server.http_listen_port}";
+ };
+ "/" = {
+ return = "403";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 3100 ];
 }
-- 
2.54.0
From a1f02fc39d4ac6da9d14d9029b7528021291495c Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sat, 13 Jun 2026 03:22:18 +0900
Subject: [PATCH 2/3] {ildkule/loki,base/fluentbit}: send data over https
---
 base/services/fluentbit.nix | 6 ++++--
 hosts/ildkule/services/monitoring/loki.nix | 20 +++++++-------------
 2 files changed, 11 insertions(+), 15 deletions(-)
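Review bot: The HTTP listener is moved to `127.0.0.1`, but `grpc_listen_port = 9096;` in the same `server` block still carries no listen address, and Loki's `grpc_listen_address` appears to default to all interfaces, so the gRPC port stays bound on every interface and is guarded only by the host firewall rather than by the binding itself. For the intent stated in the subject, pin it the same way: `grpc_listen_address = "127.0.0.1";`. Nothing visible in this file needs gRPC from outside the host, though that is inferred from the config rather than shown.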
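Review bot: `"/loki/api/v1/push"` is a prefix location, so nginx also forwards any longer request path that starts with it (say `/loki/api/v1/push/anything`) to Loki, whereas the subject says only the push endpoint should be reachable; an exact-match location, `"= /loki/api/v1/push" = { ... };`, limits the exposure to that one path. The same prefix form survives in the rewrite of this block in patch 2/3 and in patch 3/3. Separately, `networking.firewall.allowedTCPPorts = [ 3100 ];` now repeats the literal from `listen` where the removed line derived the port from config; a single `let` binding for the port would keep the two from drifting while this listener exists.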
diff --git a/base/services/fluentbit.nix b/base/services/fluentbit.nix
index 9f8a9b7..fff7cb1 100644
--- a/base/services/fluentbit.nix
+++ b/base/services/fluentbit.nix
@@ -62,8 +62,10 @@ in
 name = "loki";
 match = "*";
- host = "ildkule.pvv.ntnu.no";
- port = 3100;
+ host = "loki.pvv.ntnu.no";
+ port = 443;
+ tls = "on";
+ "tls.verify" = "on";
 uri = "/loki/api/v1/push";
 compress = "gzip";
diff --git a/hosts/ildkule/services/monitoring/loki.nix b/hosts/ildkule/services/monitoring/loki.nix
index 67c5831..655d4e8 100644
--- a/hosts/ildkule/services/monitoring/loki.nix
+++ b/hosts/ildkule/services/monitoring/loki.nix
@@ -3,7 +3,6 @@
 let
 cfg = config.services.loki;
 stateDir = "/data/monitoring/loki";
- # internalPort = 83100;
 in {
 services.loki = {
 enable = true;
@@ -82,21 +81,16 @@ in {
 };
 };
- services.nginx.virtualHosts."loki-internal" = {
- listen = [{
- addr = "0.0.0.0";
- port = 3100;
- ssl = false;
- }];
+ services.nginx.virtualHosts."loki.pvv.ntnu.no" = {
+ forceSSL = true;
+ enableACME = true;
+ kTLS = true;
+
 locations = {
+ "/".return = "403";
 "/loki/api/v1/push" = {
- proxyPass = "http://${cfg.configuration.server.http_listen_address}:${toString cfg.configuration.server.http_listen_port}";
- };
- "/" = {
- return = "403";
+ proxyPass = "http://${cfg.configuration.server.http_listen_address}:${toString cfg.configuration.server.http_listen_port}/loki/api/v1/push";
 };
 };
 };
-
- networking.firewall.allowedTCPPorts = [ 3100 ];
 }
-- 
2.54.0
From 3fee83ec05307377c604c95295e8e46689ae1578 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sat, 13 Jun 2026 03:23:12 +0900
Subject: [PATCH 3/3] ildkule/loki: restrict incoming connections to pvv + ntnu
---
 hosts/ildkule/services/monitoring/loki.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/hosts/ildkule/services/monitoring/loki.nix b/hosts/ildkule/services/monitoring/loki.nix
index 655d4e8..e9ea724 100644
--- a/hosts/ildkule/services/monitoring/loki.nix
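Review bot: The loki output now verifies the server certificate (`"tls.verify" = "on"`) but still presents no client credentials — there is no `http_user`/`http_passwd` here and the receiving Loki in patch 1/3 runs with `auth_enabled = false` — so after this change the TLS hop authenticates the server, not the sender, and any host that can reach the push path can write log entries. If a shared secret is acceptable, fluent-bit's `http_user`/`http_passwd` options paired with `basicAuthFile` on the nginx push location would close that gap; otherwise the source-IP allow list added in patch 3/3 is the only sender check, and a one-line comment above `host` saying so would spare the next reader the same question. With no `tls.ca_file` set, verification presumably runs against the system CA store of the fluent-bit build; worth confirming on one host after deploy.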
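Review bot: The push location sets no request-body limit, so nginx's default `client_max_body_size` (1m unless raised elsewhere in this host's nginx config, which is not visible here) answers 413 to any gzip-compressed batch above that size; whether fluent-bit's batches reach it under load is not shown, but making it explicit is cheap, e.g. `extraConfig = "client_max_body_size 8m;";` next to `proxyPass` (patch 3/3 introduces an `extraConfig` on this location where the directive can live). A rejected batch is presumably retried by fluent-bit, so the failure mode is delayed rather than lost logs, which is easy to miss. Style: `"/".return = "403";` uses dotted shorthand while the push location is a nested attribute set; one form for both locations would read more consistently.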
+++ b/hosts/ildkule/services/monitoring/loki.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 let
 cfg = config.services.loki;
@@ -90,6 +90,15 @@ in {
 "/".return = "403";
 "/loki/api/v1/push" = {
 proxyPass = "http://${cfg.configuration.server.http_listen_address}:${toString cfg.configuration.server.http_listen_port}/loki/api/v1/push";
+ extraConfig = ''
+ allow 127.0.0.1;
+ allow ::1;
+ allow ${values.ipv4-space};
+ allow ${values.ipv6-space};
+ allow ${values.ntnu.ipv4-space};
+ allow ${values.ntnu.ipv6-space};
+ deny all;
+ '';
 };
 };
 };
-- 
2.54.0
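Review bot: This allow list is now the only control on who may write to Loki — `auth_enabled = false` is set earlier in this file and nothing on the push path checks credentials — so every host in the PVV and NTNU ranges interpolated from `values` can append arbitrary log entries, and the disk usage that comes with them, to the monitoring store. That is probably the intended trust boundary, but it deserves stating above `extraConfig`, e.g. `# Source-IP allow list is the only sender check on the push path (Loki runs with auth_enabled = false); any host in these ranges can write logs.`; an ingestion limit in Loki's `limits_config` would bound what a noisy or misbehaving sender can do, if not already set (not visible here). Note that nginx evaluates `allow`/`deny` against `$remote_addr`, so this holds only while nginx itself terminates the client connections and is not placed behind another proxy.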